Gentoo Wiki

HOWTO_Anonymity_with_Tor_and_Privoxy


This article is part of the HOWTO series.


Introduction

This HOWTO explains how to browse the web anonymously using Tor (The Onion Router) and Privoxy. Tor can also be used to make other network clients (instant messaging, Usenet, etc.) act anonymously. This HOWTO also explains how to set up servers on your machine that are reachable anonymously through Tor's "hidden services" mechanism.

Do NOT use tor to abuse sites... let's keep the tor community clean!

Setting It Up

As root:

# emerge -av net-misc/tor net-proxy/privoxy

Add this line to /etc/privoxy/config (anywhere is fine, but line 1160 looks like the right place):

File: /etc/privoxy/config
forward-socks4a / localhost:9050 .
# Don't forget the '.' at the end!
Note: In the default configuration of privoxy, it will send your originating IP in an HTTP header. This obviously breaks your anonymity if it is your public IP. In the actions, enable at least -add-header and +hide-forwarded-for-headers. You can do this either in the .action files (read the manual) or, once privoxy is running, via http://config.privoxy.org/show-status. COMMENT: This is the default configuration now.
Note: Privoxy's default configuration logs all GET, POST, and CONNECT HTTP requests. If you wish to avoid leaving your browsing history on your computer, comment out the following line in /etc/privoxy/config at about line 578 like so:
#debug   1    # show each GET/POST/CONNECT request
Note: If you wish to connect to your proxy from other machines, you need further editing of /etc/privoxy/config. Search for "listen-address" and read the commented explanation.

It is a common setup to have a proxy in the local network which is accessible from every other host on the network. So if your network is 192.168.0.0 and your proxy 192.168.0.1, use:

File: /etc/privoxy/config
listen-address  192.168.0.1:8118
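As an added check that is not part of the wiki page, the following POSIX shell script reads a privoxy config and reports the mistakes the notes above warn about: a forward-socks4a line without the trailing '.', request logging (debug 1) left on, and a listen-address that is not loopback (plus the /etc/hosts caveat for 'localhost' that the troubleshooting section mentions). The two config snippets it writes are constructed samples and the function names are my own; only sed, grep and awk are assumed.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit /etc/privoxy/config for the
# pitfalls this section describes. Only sed, grep and awk are assumed.

# Print the active directives of a privoxy config: leading whitespace stripped,
# blank lines and comment lines removed.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Return 0 if a forward-socks4a line for "/" exists AND ends with the trailing
# '.' that tells privoxy "no further parent proxy after the SOCKS hop".
forward_has_dot() {
    active_lines "$1" \
        | grep -Eq '^forward-socks4a[[:space:]]+/[[:space:]]+[^[:space:]]+[[:space:]]+\.[[:space:]]*$'
}

# Return 0 if request logging ("debug 1") is still switched on.
logs_requests() {
    active_lines "$1" | grep -Eq '^debug[[:space:]]+1([[:space:]]|$)'
}

# Print the last listen-address value (empty if privoxy's default applies).
listen_address() {
    active_lines "$1" | awk '$1 == "listen-address" { v = $2 } END { print v }'
}

# Print one line per finding and return the number of findings.
privoxy_audit() {
    cfg=$1
    findings=0
    if ! active_lines "$cfg" | grep -Eq '^forward-socks4a[[:space:]]+/'; then
        echo "MISSING: no 'forward-socks4a /' line, requests will bypass Tor"
        findings=$((findings + 1))
    elif ! forward_has_dot "$cfg"; then
        echo "BROKEN: forward-socks4a line is missing the trailing '.'"
        findings=$((findings + 1))
    fi
    if logs_requests "$cfg"; then
        echo "PRIVACY: 'debug 1' writes every GET/POST/CONNECT to the privoxy logfile"
        findings=$((findings + 1))
    fi
    addr=$(listen_address "$cfg")
    case "$addr" in
        ""|127.0.0.1:*) ;;   # loopback only, nothing to report
        localhost:*)
            echo "NOTE: listen-address uses 'localhost'; it needs an /etc/hosts entry, 127.0.0.1 does not"
            findings=$((findings + 1)) ;;
        *)
            echo "EXPOSURE: listen-address $addr accepts proxy clients from the network; restrict who can reach it"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Two constructed configs: one with the mistakes above, one as recommended.
BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
cat > "$BAD_CFG" <<'EOF'
listen-address  192.168.0.1:8118
forward-socks4a / localhost:9050
debug   1    # show each GET/POST/CONNECT request
EOF
cat > "$GOOD_CFG" <<'EOF'
listen-address  127.0.0.1:8118
forward-socks4a / localhost:9050 .
#debug   1    # show each GET/POST/CONNECT request
debug   4096 # Startup banner and warnings
EOF

echo "== bad config =="; privoxy_audit "$BAD_CFG" || echo "findings: $?"
echo "== good config =="; privoxy_audit "$GOOD_CFG" && echo "findings: 0"
```

Run it against the real file with `privoxy_audit /etc/privoxy/config` after sourcing the script; a LAN listen-address is reported as exposure on purpose, since the proxy then relays for anyone who can reach port 8118.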
Note: If your firewall works by blocking ports (like mine), then you can tell Tor to only use the ports that your firewall permits by adding "FascistFirewall 1" to your torrc configuration file.

By default, when you set this Tor assumes that your firewall allows only port 80 and port 443 (HTTP and HTTPS respectively). You can select a different set of ports with the FirewallPorts option.

As of Tor 0.1.1.6-alpha, FascistFirewall and FirewallPorts were replaced with a new config option:

ReachableAddresses *:80,*:443

As of Tor 0.1.1.14-alpha, ReachableAddresses is split in two:

ReachableDirAddresses *:80
ReachableORAddresses *:443

This is taken from this link

Start tor:

# cp /etc/tor/torrc.sample /etc/tor/torrc
# /etc/init.d/tor start

Start privoxy:

# /etc/init.d/privoxy start

Add tor and privoxy to the default runlevel if you want them to start on bootup.

# rc-update add privoxy default
# rc-update add tor default

How to use Tor/Privoxy with your Software

Complete List

There is a wiki listing all programs known to work and how to set them up ( http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO ); it is bigger and more complete than this one. The following are only some trivial examples to give you an idea of what this is about.

Aliases

Another way is to use some predefined shell aliases (telnet, scp, ssh etc.) to avoid having to set up tor/privoxy for every single application on your box: http://shellscripts.org/project/toraliases

Autoconfigure Some Applications

To make apps that use http such as wget, lynx, curl etc. use tor automatically put this in your ~/.profile, or ~/.bashrc:

File: ~/.profile or ~/.bashrc
http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY


Examples

Browsing anonymously

Configure your web browser's http proxy to point to: host: 127.0.0.1 port: 8118.

You should also set your SSL proxy to the same configuration, if you want to hide your SSL traffic.

The Tor people are recommending that you send all protocols via privoxy even if it breaks them.

From the Tor FAQ: [1] "Unfortunately, Privoxy only proxies http and https. This means you can't use Privoxy to handle ftp traffic. Worse, if you don't specify any proxy for your ftp traffic, then your browser will connect directly to the ftp site. So a web page can use an img link to an ftp site in order to trick you into revealing your real location!"

You are now browsing anonymously. Or at least you have a better chance of anonymity and are contributing to development of these solutions - the Tor authors specifically say that you should not rely on Tor to provide strong anonymity.

How to use Gaim with tor

Make sure you have privoxy and tor running as explained above.

In Gaim:

Other Network Clients

The above method will work with any network client that is capable of SOCKS proxy, such as x-chat.

IRSSI
$ torify irssi

Do NOT use Tor with Bittorrent clients! The Tor network is only in its infant stages and will not be able to cope with that amount of traffic. Details Here

Firefox Extension

FoxyProxy uses wildcard and regular expression patterns matched against the URL to choose a proxy (or none) automatically, case by case. It has out-of-the-box support for talking directly to Tor (not recommended: Firefox may still report your IP, defeating the whole point), or it can be used together with Privoxy or any other proxy of your choice. It removes the need to pick a proxy manually, and avoids the annoying tendency of a proxy (de)selection in one browser window/tab to be carried across all tabs/windows, as with other Firefox proxy extensions. It eliminates the "oops" factor in proxy (de)selection.

There is a handy extension for Firefox, Switchproxy Extension, which facilitates switching between anonymous and non-anonymous modes quickly.

There is also a less general extension, Torbutton, which lets you switch only between "direct connection" and tor/privoxy configurations.

Offering Hidden Services

A hidden service is a server on your computer that you make available via tor with a .onion top level domain.

Hidden services have several known weaknesses that can expose, identify or locate them; these are documented and discussed here: http://www.onion-router.net/Publications/locating-hidden-servers.pdf Steps have been taken to address them, but the results of those steps, and other larger-scale attacks, have not yet been studied further. It is not certain that your hidden service will remain anonymous.

A website offered through a hidden service looks like this: http://6sxoyfb3h2nvok2d.onion/tor/SocatHelp. For example, you can access the Tor hidden wiki at: http://6sxoyfb3h2nvok2d.onion/tor/

You can offer hidden services while tor is running as a client or server.

To make your web server available anonymously, edit /etc/tor/torrc and in the hidden services portion add these lines:

File: /etc/tor/torrc
HiddenServiceDir /var/lib/tor/apache_hidden/
HiddenServicePort 80 127.0.0.1:80

Now create /var/lib/tor/apache_hidden, chown it to tor:tor (you don't really have to do this, the directory is created by tor if it doesn't exist) and start tor. Look in the file /var/lib/tor/apache_hidden/hostname for the .onion address you want to publish.

Non-HTTP Service

Using tor and privoxy makes offering hidden services for web servers easy, but what if you want to make a non-http service available?

Say you have a mud server running on port 5454 and want to make it available as a hidden service. Follow the above steps, creating a directory named ~/mud_hidden/ instead.

To reach your mud, people would use the address 34vss3f3tohrri.onion:5454. But telnet can't use the .onion namespace, so we need socat to forward a local port through Tor's SOCKS port (the target port must be the one given in HiddenServicePort, 5454 here):

# emerge net-misc/socat
$ socat TCP4-LISTEN:2222,fork SOCKS4A:localhost:34vss3f3tohrri.onion:5454,socksport=9050

Now you can test it by telnetting to localhost port 2222. Do this from another machine to verify that it's working anonymously.
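The following shell helpers are an added example, not from the wiki, for the hidden-service and socat steps above. They print the torrc stanza, read the .onion name tor writes to HiddenServiceDir/hostname, and build the socat forwarder using the same port for the hidden service and the SOCKS4A target, so the two steps cannot drift apart. The HiddenServiceDir, the abcdefghijklmnop.onion name and the function names are constructed for the demo; bind=127.0.0.1 is a socat listen option added here so the forwarder only accepts connections from the local machine.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the torrc hidden-service stanza
# and the socat forwarder for a non-HTTP service, keeping the ports consistent.

# Return 0 if $1 is a TCP port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two torrc lines for one hidden service.
#   $1 = HiddenServiceDir, $2 = virtual port clients use, $3 = local host:port
hidden_service_stanza() {
    valid_port "$2" || { echo "bad virtual port: $2" >&2; return 1; }
    printf 'HiddenServiceDir %s\n' "$1"
    printf 'HiddenServicePort %s %s\n' "$2" "$3"
}

# Print the .onion name tor wrote into HiddenServiceDir/hostname.
# Fails until tor has been (re)started with the stanza above.
onion_hostname() {
    [ -r "$1/hostname" ] || { echo "no hostname file in $1 yet" >&2; return 1; }
    head -n 1 "$1/hostname"
}

# Print the socat command that exposes ONION:REMOTEPORT on 127.0.0.1:LOCALPORT.
#   $1 = local port, $2 = .onion name, $3 = remote (virtual) port,
#   $4 = tor SOCKS port (default 9050)
socat_forward_cmd() {
    case "$2" in
        *.onion) ;;
        *) echo "not a .onion name: $2" >&2; return 1 ;;
    esac
    valid_port "$1" && valid_port "$3" || { echo "bad port" >&2; return 1; }
    # bind=127.0.0.1 keeps the forwarder off the LAN; SOCKS4A lets tor resolve
    # the .onion name instead of the local resolver (which would leak it).
    printf 'socat TCP4-LISTEN:%s,bind=127.0.0.1,fork SOCKS4A:localhost:%s:%s,socksport=%s\n' \
        "$1" "$2" "$3" "${4:-9050}"
}

# Demo with a constructed HiddenServiceDir and a constructed .onion name.
MUD_DIR=$(mktemp -d)
trap 'rm -rf "$MUD_DIR"' EXIT
echo "abcdefghijklmnop.onion" > "$MUD_DIR/hostname"   # constructed, not a real service

hidden_service_stanza "$MUD_DIR" 5454 127.0.0.1:5454
MUD_ONION=$(onion_hostname "$MUD_DIR")
socat_forward_cmd 2222 "$MUD_ONION" 5454
```

Pointing HiddenServicePort at 127.0.0.1 rather than a LAN address means the mud server only needs to listen on loopback, so the service is reachable through Tor and not also directly from your network.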

Note on Client/Server

All of the above steps will enable tor to be used as a client only. In other words you won't be a node and using 20 gigabytes of bandwidth per month, just what you'd normally use by surfing the web.

Privoxy Config

You can access the privoxy web configuration at http://config.privoxy.org/ when privoxy is turned on.

Note on Speed

Browsing through a proxy will slow down your connection. It's not a good idea to use tor with wget (which is used by emerge).

Gentoo Blocks Tor Exit Node Traffic from its Official Distfile Servers (among others), and almost all Official Mirrors. (Note from reader: As of 26th June in 2006 there's no problem with it.)

To turn off proxying for wget, change #use_proxy = on to use_proxy = off in /etc/wget/wgetrc around line 80.

Advanced usage

Offering a tor/privoxy proxy for others

The instructions up to now only cover setting up tor and privoxy on a single computer. Of course, if you administer a network or want to offer a publicly available service, you can do that too. To do that, you must instruct tor and privoxy to listen for connections not only locally, but on a publicly available network address. In the following example I assume a server on a local network, 192.168.0.0/24, with the IP 192.168.0.1. You must make the following modifications in addition to the ones mentioned above:

File: /etc/tor/torrc
SocksBindAddress 192.168.0.1
SocksPolicy accept 192.168.0.0/24
SocksPolicy reject *

File: /etc/privoxy/config
listen-address  192.168.0.1:8118
# replace the line "forward-socks4a / localhost:9050 ." with this:
forward-socks4a / 192.168.0.1:9050 .

Don't forget the period (".") at the end of the line.

Restart tor and privoxy, and set the proxy in the web clients throughout your net to 192.168.0.1:8118.

Running a tor server

If you have a lot of bandwidth, you might want to consider contributing to the tor network by running your node as a tor server. The more servers there are, the better the network works: More servers mean higher bandwidth and better anonymity. There are two ways you can help: Either running a Middleman or an Exit Node. An Exit Node allows traffic to leave the tor network at your server, so that it appears to the outside world that the traffic has come from your computer. Depending on the legislation of your country, this might get you in trouble. If you don't want to risk that, run a Middleman Node. The official documentation is at Configuring a Tor server. Also, you should read the Tor FAQ if you want to run a server. There are a number of issues which are beyond the scope of this wiki. Anyhow, here are the minimal instructions to get you started.

File: /etc/tor/torrc
## This is required, but you can choose the port
ORPort 9001

## Required: A unique handle for this server. Choose one.
Nickname ididntedittheconfig

## The IP or fqdn for this server. Leave commented out and Tor will guess.
## This may be required, if tor cannot guess your public IP.
Address <your.public.ip>

## To limit your bandwidth usage, define this. Note that BandwidthRate
## must be at least 20 KB.
BandwidthRate 20 KB        # Throttle traffic to 20KB/s (160Kbps)
BandwidthBurst 50 KB       # But allow bursts up to 50KB/s (400Kbps)

## If you don't want to run an Exit Node, add this
ExitPolicy reject *:* # middleman only -- no exits allowed
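An added example, not from the wiki, that audits a relay torrc for the points just listed: ORPort present, Nickname changed from the sample value, BandwidthRate not below the 20 KB minimum, BandwidthBurst not below BandwidthRate, whether the ExitPolicy makes it a middleman, and leftover FascistFirewall lines from the older syntax. The two torrc files it writes are constructed samples (one copied from the snippet above), and the function names are my own; only sed and awk are used.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit a relay torrc for the settings
# this section lists. Assumes a plain "Key value" torrc; only sed and awk are used.

# Active torrc lines: leading whitespace and trailing "# comments" stripped,
# comment-only and blank lines dropped.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e 's/[[:space:]]*#.*$//' -e '/^$/d' "$1"
}

# Print the value of the last active occurrence of KEY (empty if absent).
torrc_value() {
    active_lines "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }'
}

# Return 0 if the first ExitPolicy line is "reject *:*" (middleman only).
is_middleman() {
    first=$(active_lines "$1" | awk '$1 == "ExitPolicy" { $1 = ""; sub(/^ +/, ""); print; exit }')
    [ "$first" = "reject *:*" ]
}

# Convert a tor bandwidth value ("20 KB", "1 MB", "4096") to bytes per second.
to_bytes() {
    n=$(printf '%s\n' "$1" | awk '{ print $1 }')
    u=$(printf '%s\n' "$1" | awk '{ print toupper($2) }')
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$u" in
        ''|B|BYTES)  echo "$n" ;;
        KB|KBYTES)   echo $((n * 1024)) ;;
        MB|MBYTES)   echo $((n * 1024 * 1024)) ;;
        *)           return 1 ;;
    esac
}

# Print one line per finding and return the number of findings.
torrc_audit() {
    cfg=$1
    findings=0
    if [ -z "$(torrc_value "$cfg" ORPort)" ]; then
        echo "MISSING: ORPort is required for a relay"
        findings=$((findings + 1))
    fi
    nick=$(torrc_value "$cfg" Nickname)
    if [ -z "$nick" ] || [ "$nick" = "ididntedittheconfig" ]; then
        echo "NICKNAME: choose a unique Nickname (the sample value is still in place)"
        findings=$((findings + 1))
    fi
    rate_raw=$(torrc_value "$cfg" BandwidthRate)
    if [ -n "$rate_raw" ]; then
        rate=$(to_bytes "$rate_raw") || rate=0
        if [ "$rate" -lt 20480 ]; then
            echo "BANDWIDTH: BandwidthRate '$rate_raw' is below the 20 KB minimum"
            findings=$((findings + 1))
        fi
        burst_raw=$(torrc_value "$cfg" BandwidthBurst)
        if [ -n "$burst_raw" ]; then
            burst=$(to_bytes "$burst_raw") || burst=0
            if [ "$burst" -lt "$rate" ]; then
                echo "BANDWIDTH: BandwidthBurst '$burst_raw' is lower than BandwidthRate"
                findings=$((findings + 1))
            fi
        fi
    fi
    if is_middleman "$cfg"; then
        echo "INFO: 'ExitPolicy reject *:*' comes first, this is a middleman node"
    else
        echo "EXIT: no leading 'ExitPolicy reject *:*', so exit traffic will leave this host; check local legislation"
        findings=$((findings + 1))
    fi
    if [ -n "$(torrc_value "$cfg" FascistFirewall)" ]; then
        echo "OBSOLETE: FascistFirewall was replaced by ReachableAddresses in 0.1.1.6-alpha"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed torrc files: the section's sample, and one with typical mistakes.
MIDDLEMAN=$(mktemp); SLOPPY=$(mktemp)
trap 'rm -f "$MIDDLEMAN" "$SLOPPY"' EXIT
cat > "$MIDDLEMAN" <<'EOF'
ORPort 9001
Nickname ididntedittheconfig
BandwidthRate 20 KB        # Throttle traffic to 20KB/s (160Kbps)
BandwidthBurst 50 KB       # But allow bursts up to 50KB/s (400Kbps)
ExitPolicy reject *:* # middleman only -- no exits allowed
EOF
cat > "$SLOPPY" <<'EOF'
ORPort 9001
Nickname gentoorelay
BandwidthRate 10 KB
FascistFirewall 1
EOF

echo "== sample from this section =="; torrc_audit "$MIDDLEMAN" || echo "findings: $?"
echo "== sloppy relay =="; torrc_audit "$SLOPPY" || echo "findings: $?"
```

Tor evaluates ExitPolicy lines in order and stops at the first match, which is why the middleman check looks only at the first active ExitPolicy line rather than at whether "reject *:*" appears anywhere.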

Troubleshooting

The above steps should work for most machines. If you have strict firewall rules you'll need to allow local connections to port 8118 and port 9050. If your firewall blocks outgoing connections, punch a hole so it can connect to TCP ports 80, 443, and 9001-9033.

I also noticed that

File: /etc/privoxy/config
listen-address localhost:8118

might have to be changed to

File: /etc/privoxy/config
listen-address 127.0.0.1:8118

in order to work, possibly because /etc/hosts is missing the localhost entry.

Also, only the latest version of tor is likely to work, but it might be masked in portage, so add net-misc/tor ~* to your /etc/portage/package.keywords file.

-- Check the logs! --

If you have configured everything correctly but are still having problems, please check /var/log/tor/tor.log for more insight. In my case I set up everything correctly but my time was not correct, so nothing worked. Please make sure your time is correct as well.


Retrieved from "http://www.gentoo-wiki.info/HOWTO_Anonymity_with_Tor_and_Privoxy"

Last modified: Tue, 09 Sep 2008 22:34:00 +0000